While I have in the past been focused on Windows exploitation (and a beginner with that), I find myself having to expand my horizons (CPT). In keeping in line with my training, I need to enumerate information on the machine (VM) that I want to attack. Unfortunately I have little idea where to start. The book I have access to at the moment seems fixed on Windows enumeration, and Google has not been much better. I see results on Linux NIC enumeration.

Steps taken so far:
1. Scanned my network and found a "victim".
2. Scanned the host and performed port, OS and version detection.
3. "Banner grabbing", connecting to the services with netcat.

At this point there is a gap in my knowledge. I know that eventually I will need to crack passwords and eventually gain access to the system, but I do know that if I want to gain access through one of the open services, I will need to enumerate the users and possibly other information on the machine. Can anyone point me in the right direction? My main purpose at this point is to learn how to attack Linux rather than the actual exploitation of this machine.

Truthfully, I am surprised I have received no responses yet. I'll continue with the hope that someone can help, or at the least I can chronicle my search.

As you may know, I am attempting to rise above the level of script kiddie knowledge of BackTrack, Metasploit, and indeed hacking.

My current roadblock is, I believe, privilege escalation. I am working on a vulnerable VM where I have gained user level privileges. I have researched possible vulnerabilities and exploit code. Problem: I have always used Metasploit to deliver code. I have no idea how to manually exploit a service or cause a desirable condition. Also, I don't understand the source code, so I can't tell what it does or how to use it to exploit the vulnerability.

I have done some research; I am reading the Wikipedia article on shellcode (don't laugh) and it states:

"Injecting the shellcode is often done by storing the shellcode in data sent over the network to the vulnerable process, by supplying it in a file that is read by the vulnerable process or through the command line or environment in the case of local exploits."

I take this to mean injecting the code into packets that are read by a vulnerable application and the code is executed (remote exploit?), or the same through a file (how do I get the file on the system?), or somehow causing the required condition on the local machine (how?).

Sometimes there is an available privilege escalation exploit, other times you have to really stalk it.

What I tend to do is have a look at all of the processes, see what is running with more privileges than me and if there are any ways of interacting with that service to get code execution.

Offensive Security's Pentesting With BackTrack is a great course that gets you really thinking about all of this. Finding this out for every piece of software and configuration file takes a long time, you get really desperate, and all you get is 'Try Harder!'

I would recommend the course if you really like a challenge, and the skills you learn alone are worth the price of the course.

Check sites like exploitdb to see if you can find shellcode to escalate privs for the appropriate kernel. You will have to see if the compiler tools are included in the box. Most of the time they are there and usable (fortunately, but prod servers should probably not have these installed...)

Also, check for SUID/SGID files and see if you can find any with vulns. Check for world writable files called by scripts, in cron, and always check ps for processes currently running as root. Check /etc/passwd to see if it is shadowed, as some systems (increasingly rare) do not shadow. Check for passwords in scripts, in a user's history, and even in databases. Check for things like phpMyAdmin, Webmin, etc.

I completely understand where you are coming from. My issue is that, well, quite simply, I am on new ground here, and the training and material I have available is insufficient to give me the needed guidance.

I found an exploit that I wanted to use (and indeed, later I found out it would work) but I have no idea how to deliver it to the host. All of my experience is with either Metasploit's preloaded delivery system, or literally being logged into the system with GUI access, where I can, for instance, download the code from the internet and run it.

As for PWB, I think I am a little far from that at this point. I am slowly coming to realize that I like to be walked down the path a few times before I explore the area. I am looking at taking a step back, maybe looking at THA or HD that were reviewed here recently. If not, it may be a case of looking for a mentor when I get back to the states, or dropping the cash for a live course.

@hell_razor Thank you, I had seen mention of these techniques in Hacking Exposed and my course material. Unfortunately the information is lacking. The find command is given, but no explanation of the options (a Google search gave some information about the command, but I don't understand, for example:

find / -perm +4000 -user root -type f -print

In this string I don't know what -perm or +4000 (-2000) are), and again, how would I get the code to the target?

I'm going to reinvestigate the SUID vulnerabilities. By executing the FIND string above, I was able to find several processes running as root, but I need to look for exploits, and see how they are exploited. I'll report back.
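Since the find options asked about above and the checks hell_razor listed are all file-permission audits, here is an added example (not code from the thread or from any of its posters) that wraps them as shell functions a defender can run to inventory setuid/setgid and world-writable files, diff them against a known-good baseline, and flag an unshadowed /etc/passwd. The function names and the baseline-file format are my own assumptions.

```shell
#!/bin/sh
# Hypothetical audit helpers (added example, not code from the thread).
# The find options asked about above:
#   -perm -4000 : setuid bit set (octal 4000, the "s" in the owner execute slot)
#   -perm -2000 : setgid bit set
#   -perm -MODE : ALL of the listed bits must be set (POSIX)
#   -perm /MODE : ANY of the listed bits (GNU; "+MODE" is the old, deprecated spelling)
#   -user root  : owned by root      -type f : regular files only
#   -xdev       : stay on one filesystem, so /proc and network mounts are skipped

# Setuid/setgid regular files under $1, sorted so the list can be diffed.
list_special_bits() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# World-writable regular files under $1: if a root cron job or init script
# executes one of these, any local user can replace its contents.
list_world_writable() {
    find "$1" -xdev -type f -perm -0002 -print 2>/dev/null | sort
}

# Setuid/setgid files present now but absent from a baseline listing ($2,
# sorted, one path per line) taken when the host was known-good.
new_since_baseline() {
    list_special_bits "$1" | comm -13 "$2" -
}

# Returns 0 if the passwd-format file $1 still carries hashes in field 2
# (i.e. the system is not shadowed); "x", "*", "!" and empty mean no hash here.
has_unshadowed_hashes() {
    awk -F: '$2 != "x" && $2 != "" && $2 !~ /^[*!]/ { found = 1 } END { exit !found }' "$1"
}

# Usage: sh audit.sh <root-dir> [baseline-file]
if [ $# -ge 1 ]; then
    echo "== setuid/setgid files under $1 =="; list_special_bits "$1"
    echo "== world-writable files under $1 =="; list_world_writable "$1"
    [ $# -ge 2 ] && { echo "== new since baseline =="; new_since_baseline "$1" "$2"; }
    has_unshadowed_hashes /etc/passwd && echo "WARNING: /etc/passwd contains password hashes"
fi
```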

If you've got user level privs to the box via some sort of shell and you have some exploit you want to run, this is what you need to do:

1. Transfer the uncompiled code to the box. You can do this via wget or ftp or any other method of file transfer. Most Linux boxes have wget installed. Keep in mind, you never want to run a pre-compiled binary exploit on your box. More than likely it's a back door or something bad. Always use uncompiled code from a reputable exploit database.
2. Compile the code (if it's C or C++) directly on the victim box using gcc. If gcc or g++ isn't installed you'll need to compile the code somewhere else and then just transfer the binary to your "victim." If this is the case, it's best to compile it on the same kernel as your victim.
3. Change your new binary to executable on your victim box and run it.

The bottom line is that you'll need some sort of remote access to the box already. There are many instances where you'll have a remote shell but the shell only has limited privs. This could be via some webapp exploit or remote service exploit or via some social engineering.

You need to keep researching - hell_razor has some good points to continue your research. Also, I would recommend PWB; if you're using Metasploit and enumerating services, you could study the PWB information and it would likely "turn on the light bulb." Seeing all that content in an organized fashion is very valuable.

@cd1zz, completely right. I was thinking along those lines, but I am just beginning with compiling code and whatnot on linux.

The box did not have gcc installed, so I ended up compiling the code for my chosen exploit on my Linux PC (VM). Unfortunately there were some errors, and while one was simple to figure out (adding a return line at the end of the code), the other requires me to know something about programming.

I also downloaded other exploits and attempted to run them as well. All of them either didn't compile correctly or didn't work, or in the case of one, caused a DoS. That was a learning experience.

At this point I'm not sure where I'm going from here. Today is my last of two days off, and I have several options available to me. I may step back and start really getting to know Linux, and perhaps get an intro to programming (start with BASIC?). I've also received some feedback suggesting that perhaps I try some more vulnerable VMs; perhaps I should start there and work my way up. Thoughts?

Some programming experience can be necessary if the code you're using has bugs in it or, like you experienced, has compilation errors. Or you could use some Google-fu to get you where you need to be.

From a step 1 perspective, you don't really need to understand how the code works, but it is helpful if you're familiar with some C or C++ to understand the flow of the code. Obviously down the road when you're finding your own kernel vulnerabilities and developing your own 0-days, then you'll need to program heavily.

For now, I would just try to get that exploit to compile correctly... Which one are you looking at?

Sometimes exploit writers will sabotage the exploit code in such a way that people with skill can debug and fix it (maybe a missing semicolon or misuse of quotes or a mistyped variable, etc.) and script kiddies can't figure it out. You will learn to find the errors. Also, exploits don't get the same level of QC as mainstream software, so go ahead and lower your expectations for stable code. You may get lucky, or not. I wind up having to fix others' broken code as often as not (when I can figure it out).

It's really hard to say why you were having issues. I would have started with appending a semicolon to the end of line 568 since the error is indicative of the compiler expecting a statement after the label (out:) and a semicolon classifies as a statement. I have not debugged this code beyond a brief cursory glance and a Google search so that's just a start. I'll also disclaim that I'm a complete novice as a programmer.

FYI, I am nearly complete with this challenge. I only have one challenge left, which surprisingly is where I started having problems: cracking the hashes. But I am much more confident now that eventually I will find a list with the passwords in them.

Is it really crazy that I managed to get root on two boxes and not have the root password?